# fleet

Swakhil

12/16/2022, 5:47 AM
Hello Folks, I am new to fleet and just configured it on a public DNS. Added a Linux and Windows host. Linux worked fine but got some issues for Windows host. The first error is `detail_query_network_interface expected single result, got 0` and the second error is software data is not reflecting on the fleet software dashboard and displays the below error in the logs.
```
{"component":"service","err":"detail_query_network_interface expected single result, got 0","method":"IngestFunc","ts":"2022-12-15T11:58:41.396213187Z"}
{"hostID":1,"level":"error","message":"distributed query is denylisted","query":"fleet_detail_query_software_windows","ts":"2022-12-15T11:58:41.396500965Z"}
{"err":"failed","level":"error","op":"directIngestSoftware","ts":"2022-12-15T11:58:41.396717347Z"}
{"level":"warn","op":"directIngestWindowsUpdateHistory","skipped":"KB id not found in HP Development Company, L.P. - SoftwareComponent - 8.10.28.1","ts":"2022-12-15T11:58:41.400430479Z"}
```
The last line of the above error, `KB id not found`, displays the same for all the available software on that machine. Currently I use v4.23.0.

Lucas Rodriguez

12/16/2022, 4:29 PM
Hi @Swakhil! Couple of questions:
1. re `detail_query_network_interface`: Maybe you can run the following live query on the host to check why Fleet is getting 0 results:
```
select
    ia.address,
    id.mac
from
    interface_addresses ia
    join interface_details id on id.interface = ia.interface
    join routes r on r.interface = ia.address;
```
2. re `fleet_detail_query_software_windows` being denylisted: Do you happen to have Python packages installed on the Windows host? (If not, what kind of software does it have installed? how many users does the host have?)
3. re `directIngestWindowsUpdateHistory`: I'll open an issue for this. It seems the title of that particular Windows Update doesn't contain the KB number?...

Swakhil

12/19/2022, 12:33 PM
Hi @Lucas Rodriguez, tried running the query on the host, but nothing was returning. Finally, installed latest version v4.24.1 which worked perfectly fine. The software data and network details are visible on the individual host page.

Raghavendra Hiremath

12/20/2022, 9:40 AM
Any idea on updating websockets on nginx server for fleet to communicate?

Raghavendra Hiremath

12/20/2022, 10:07 AM
Thank you @Swakhil, from below code snippet
```
location / {
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Host $host;

      proxy_pass http://ws-backend;

      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
    }
  }
```
For proxy_pass: should we add our fleet FQDN?
```
example:    proxy_pass http://FLEET_FQDN;
```

Swakhil

12/20/2022, 10:19 AM
It should be the upstream server that the request should be forwarded to. Not sure of how you have configured the fleet.

Raghavendra Hiremath

12/20/2022, 10:21 AM
Osquery_host ------> nginx proxy (http ---> https) --------> fleet docker listening on 8080, 3 hosts

Swakhil

12/20/2022, 10:27 AM
I have configured it through fleet binary, not sure of deploying through docker compose. I can see that you are trying to run fleet on 8080 but nginx is listening on port 443. You can try configuring it on 443 with key & cert path and proxy_pass with fleet fqdn.

Raghavendra Hiremath

12/20/2022, 10:35 AM
Sure, yeah I will try it in some time, should I try configuring 443 on fleet binary/docker itself?

Swakhil

12/20/2022, 10:38 AM
It is up to you, if you want to run on https, I found binary would be simple. Just directly passing the parameters to fleet binary like below
```
./fleet serve \
  --mysql_address=127.0.0.1:3306 \
  --mysql_database=fleet \
  --mysql_username=root \
  --mysql_password=test@001 \
  --redis_address=127.0.0.1:6379 \
  --server_address=0.0.0.0:443 \
  --server_cert=/etc/ssl/cert-key/server.cert \
  --server_key=/etc/ssl/cert-key/server.key \
  --osquery_result_log_plugin=stdout \
  --osquery_status_log_plugin=stdout \
  --logging_json
```

Raghavendra Hiremath

12/20/2022, 10:40 AM
Okay, you have directly exposed it to run on 443, good. That should not overwrite or cause trouble removing default 8080, right?

Swakhil

12/20/2022, 10:42 AM
yes

Raghavendra Hiremath

12/20/2022, 10:45 AM
Thank you, I will try it and update you on this in 2 hours
It is working, updated websocket details in nginx configuration

Lucas Rodriguez

12/20/2022, 8:25 PM
Tried running the query on the host, but nothing was returning. Finally, installed latest version v4.24.1 which worked perfectly fine.
@Swakhil So the issue was resolved by updating?